VPC Your VM in the Cloud
Saverio Proto [email protected] HPC Advisory Council
© 2017 SWITCH

Infrastructure & Data Services
Your added value
Our customers
Our offer

Your added value
SWITCH made – Swiss made
• Swiss law and data location
• Scalable storage and computing power on demand, immediately available according to the needs of, and controlled by, the institutions
• Flexible usage and charging model, no up-front investment
• Simple administration; integrated into the academic network of SWITCH; security and identity services included
• Support for academic use cases
• Created together with you

Our customers
Higher education
• Cantonal universities
• ETH domain with research institutions
• Universities of applied sciences
• Universities of teacher education
University-related organizations
• Spin-Offs
• Research institutions
• eLearning Center
• University hospitals

Our offer
• SWITCHengines
• Virtual Private Cloud (VPC)
• SCALE-UP (Project)*
* For developing academic services with 9 universities, as part of the “Scientific Information” projects mandated by swissuniversities.

SWITCHengines
Customer-tailored computing and storage performance for universities, research and teaching – further developed in the SCALE-UP project mandated by Swiss universities.
Customers
• Universities
• Research institutions
• eLearning Center
• University hospitals
• Spin-Offs
Services
• SWITCHengines (IaaS)
• Virtual Private Cloud (VPC)
• SCALE-UP (academic project)
Your benefits
• Your data in Switzerland
• Integrated network and security
• Support for academic use cases
• Simple administration and billing
• Created together with you

Virtual Private Cloud
Goal
• Integration of Cloud VMs into the campus network (bring them behind the firewall).
Benefits
• Access to internal services from VMs.
• Use Cloud VMs to enhance redundancy.
• Use Cloud VMs to scale out the local infrastructure.

SCALE-UP WP10: Virtual Private Cloud
Terms
• SWITCHengines: SWITCH IaaS (Infrastructure as a Service), running on OpenStack
• SCALE-UP WP10 is about Virtual Private Cloud (VPC).
Persons Involved
• Fachhochschule St. Gallen (FHSG): Tom Schönenberger (work package leader), Stephan Gerber
• SWITCH: Patrik Schnellmann, Saverio Proto, Alexander Gall, Harald Staub

Example Use Cases
Example Use Cases of FHSG
• Domino Server, e.g. Web Server
• Windows Domain Controller, e.g. DNS Server

Solution
Tunnel in 2 Parts
• Cross the backbone (not cloud-specific).
• In SWITCHengines connect a Tenant network to a physical network
  • In routing at L3
  • In bridging at L2

Tunnel Part: Cross Backbone
• Layer 2 Connection
• VPN box managed remotely by SWITCH Global LAN as an appliance.
• ALX Box (Agile LAN eXtender)

Tunnel Part: OpenStack
OpenStack “Provider Network”
• Layer 3 Connection

OpenStack Integration Configs
• /etc/neutron/plugins/ml2/ml2_conf.ini
  – type_drivers = flat,vxlan,vlan
• On the network node
  • plugins/ml2/openvswitch_agent.ini
    – bridge_mappings = physnet1:brex,physnet2:br-eth4

OpenStack operators part
# With ADMIN credential
openstack network create --no-share \
  --project

OpenStack user part – subnets
# With USER credential
openstack network create --no-share cloudcampus
neutron subnet-create \
  --allocation-pool start=10.250.250.100,end=10.250.250.200 \
  --name cloudcampussub --gateway 10.250.250.1 \
  cloudcampus 10.250.250.0/24
neutron subnet-create --name p2p UUID-p2p-net \
  --disable-dhcp --gateway 195.176.16.126 195.176.16.0/24

OpenStack user part – router
neutron router-create vpnrouter
neutron router-interface-add \
  vpnrouter p2p
neutron router-interface-add \
  vpnrouter cloudcampussub
openstack router set --route \
  destination='0.0.0.0/0',gateway='195.176.16.1' vpnrouter
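
An offline sanity check of the address plan used in the subnet and router commands above, added here as an example; it is not part of the original slides or of SWITCH's tooling. The function name `check_plan` and the `PLAN` layout are hypothetical, and the addresses are copied from the slides.

```python
import ipaddress

# Values copied from the subnet and router commands on the slides.
PLAN = {
    "cloudcampussub": {
        "cidr": "10.250.250.0/24",
        "gateway": "10.250.250.1",
        "pool": ("10.250.250.100", "10.250.250.200"),
    },
    "p2p": {
        "cidr": "195.176.16.0/24",
        "gateway": "195.176.16.126",
        "pool": None,  # created with --disable-dhcp, no pool given
    },
}
DEFAULT_ROUTE_NEXTHOP = "195.176.16.1"


def check_plan(plan, nexthop):
    """Return a list of human-readable problems; empty means consistent."""
    problems = []
    nets = {}
    for name, sub in plan.items():
        net = ipaddress.ip_network(sub["cidr"])
        nets[name] = net
        gw = ipaddress.ip_address(sub["gateway"])
        if gw not in net:
            problems.append(f"{name}: gateway {gw} outside {net}")
        if sub["pool"]:
            start, end = map(ipaddress.ip_address, sub["pool"])
            if start > end or start not in net or end not in net:
                problems.append(f"{name}: pool {start}-{end} not inside {net}")
            elif start <= gw <= end:
                problems.append(f"{name}: gateway {gw} inside DHCP pool")
    # Subnets attached to the same router must not overlap.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    # The static default route needs a next hop on a connected subnet.
    hop = ipaddress.ip_address(nexthop)
    if not any(hop in net for net in nets.values()):
        problems.append(f"next hop {hop} not on any router subnet")
    return problems


if __name__ == "__main__":
    print(check_plan(PLAN, DEFAULT_ROUTE_NEXTHOP) or "address plan is consistent")
```

Running the check before issuing the commands catches a mistyped gateway or next hop while it is still a one-line fix rather than a VM that silently routes around the campus firewall path.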

Tunnel Part: OpenStack
OpenStack “l2gw” Neutron Plugin
• Layer 2 Connection

OpenStack operators
l2-gateway-create --device \
  name="myphyswitch",interface_names="ethX" \
  customername
l2-gateway-connection-create \

ALX Box Hardware
• Advantech networking appliance
• Several 1GE interfaces.
• Typically one 1 GE interface for IPMI and Access.
• Dual 10 GE.
• Single CPU Socket: Intel Xeon 4 Core
• Redundant Power Supply

ALX Box Requirements
Requirements:
• IPv6
• MTU >> 1’500 on router
→ Both requirements already fulfilled by SWITCH router (no restrictions for the university network).
• Box can be placed deeper inside the university site (more flexible than MPLS)

ALX Software
• NixOS: Linux distribution with good handling of releases (precise definition, easy upgrades and rollbacks)
• Snabb: toolkit for fast networking in user space (Lua)
• l2vpn: Layer-2-VPN (Snabb application)
• ALX (Agile LAN eXtender) → written by Alexander Gall, SWITCH

Alternatives to VPC
• OpenStack VPNaaS
• Dedicated VPN VM
• VM including VPN Client

Next Steps
• Pilot phase with FH St. Gallen
• Further deployments in 2017 as limited Beta
• OpenStack Neutron L2-GW
• Interested? Please contact: Saverio Proto [email protected]

SWITCH – an integral part of the Swiss academic community since 1987.
www.switch.ch/30years